
Philip Lavers

Members
  • Posts

    13
Everything posted by Philip Lavers

  1. Thank you for the responses. I have successfully configured a CS onto 2 load balancers and used LDAP/Groups for AAA etc. That is working, and also had to configure additional security, websockets etc. for those "Security guys". Now they want Azure MFA, WAF and Conditional Access policies including audit logs sent to their SIEM. More to learn. Thanks again - at least I am on the right path.
  2. Is it possible / feasible to add an Azure MFA Redirection policy onto a Content Switch? The CS is public facing and directs traffic based on a policy/action to different backend Load Balancers. I envision the traffic hitting the CS and would need a redirection policy to Azure, and once completed the traffic would be directed to the back end Load Balancer(s). I know I can do this on a Gateway service, but then I need multiple Gateway services - 1 for each URL. Or I front the Content Switch with a Gateway Service, do the MFA and then hit the CS? Can anybody suggest what I should be doing, and point me in the right direction? Thank you
  3. We found the problem, and you guys that helped were correct. Firewall! configuration was in fact wrong. If it helps somebody else, the list of URLs to be whitelisted on a firewall includes these, and we had to register the associated IPs:
       • Download.citrixnetworkapi.net: 34.202.177.254, 107.20.215.104, 52.200.108.121
       • Agent.adm.cloud.com: 54.165.90.194, 52.72.132.100, 34.200.175.42
       • adm-prod-backup-.*.s3..*amazonaws.com [nslookup s3.amazonaws.com]: 52.217.84.238, 52.217.47.158, 52.216.105.245, 52.217.65.246, 52.217.46.46, 52.217.105.174, 52.217.135.208, 54.231.171.32
     Lessons learnt, and a month of troubleshooting. Thanks again to Carl and Morten who in fact diagnosed the problem correctly.
  4. Hello, so I am learning this the hard way, and I must say the documentation is really confusing. Firstly, we have ADM Cloud Service, so simply trying to connect to that. On-Premises no longer an option as we migrated everything to Azure. I understand the following basic rules: On-Prem MPX, SDX and VPX you can use the built in agent – no need for Agents (But if you don’t have an ADM Service in cloud then you deploy the agents and the on-prem ADM Version) – Think I got that right! Cloud VPX version needs to be 13.0 Build 46+ and you have to use a Service Agent to talk to ADM Service in cloud. What I am still figuring out is on the ADC’s in Azure, are these 2 options. 1. Citrix ADM Service Connect or Configure ADM Parameters – can be Enabled, 2. Configure Cloud Parameters (Controller FQDN, Controller Port etc) along with a cloud profile. Are these redundant, legacy not used for Cloud – perhaps used for different scenarios? I think with all the name changes, version changes, new 3 letter acronyms etc – if you do not know the history of ADC heaven help you! All I need is this Azure Service Agent to connect to ADM Service, and register my 2 ADC’s so that I can build out 2 API Gateways for some fairly complex integration with a 3rd party service provider. Clearly got a lot of catch-up learning to do, and maybe I simply build what I need on ADC but I like the look of the Security Insights. Thank you for your interest, and hopefully I can push this and learn something that I can share on this forum for others.
  5. Been there, done that. It’s why I reached out to this forum. Will log another ticket and push it to be escalated. Thank you for the help.
  6. Yes, exactly that. We tried with this option and without and there is no difference.
  7. Hi, The goal is to use the ADM features. The problem is that the Service Agent will not register in ADM – Hence problem is onboarding an ADM Agent in ADM- Cloud. Hope that helps
  8. Hello, we did do this and ran a number of curl commands and the ports seem open. The only possible doubt is the AWS Backup URL. I am beginning to think that the issue may lie on the ADM Portal. We did have 2 VPX’s in a private DC and we were able to manually configure the built in agent to connect to ADM. This worked fine as a test. They were on IP’s 10.10.24.140 and 10.10.24.180. We have since decommissioned these 2 VPX and built new in Azure using an ARM template. The 2 new devices are licensed via host file method. Maybe, just maybe the old VPX’s are blocking new VPX’s as we cannot delete the old. Second, is that maybe before we understood that we needed a “Service Agent” and could not use the “Built In Agent” we did Enable the “ADM Service Connect”. And I see these 2 VPX devices listed in ADM under “Asset Inventory”. We are unable to delete these 2 devices out of ADM, and unable to “Un Tick” the Service Connect option on the ADC’s. I trust email is a better way to communicate, but happy to respond via the forum? Thank you for the help. It is much appreciated.
  9. Thank you for the help. Apologies for late response, was on leave for a couple days. After the Azure ARM Template build, we are trying to use the "deployment_type.py" utility to register the service agent with ADM, and it will not connect. If we run the diagnostic tool, we get the following error. The service agent IP is an internal IP with an ANY rule via 443 to Internet through a firewall. Hope screen shots are clearer. Thanks
  10. Hi, We rebuilt the image and got Firewall team to allow "Any" from Agent IP - deployment still fails. First thing is to run the deployment process where you enter the Service URL as per the Agent Activation process on ADM Service. Check the real service url and is open. Run a Diag and same issue. Question is - why enter the service url "carmel.agent.adm.cloud.com" but fails with a different url "carmel.adm.cloud.com" on both the deployment and diag tasks? This Service Agent has me done!
  11. I suspected that and we did a trace on the Firewall but they did not pick up anything - but we did not ask if they are inspecting the traffic. I am also not convinced that the UDR routing to the Firewall is correct from my ADC Management vNet. Will go back a step, redeploy Service Agent, will redo the NSG's, firewall and routing. Can you confirm that I do not need an AAD user account - I have Global Admin in the Subscription. Thank you
  12. Hello Carl, thanks for the reply. Have deployed Agent/MAsS to On Premises, have also integrated Built in Agent on MPX/SDX to ADM Service - but do not understand requirements to integrate ADC's in Azure. Seems like you need to install an ADM Service agent into Azure along with NSG etc to allow 443 traffic out. But service agent fails to connect to ADM service after giving the service URL and Activation key. Other option is from a Custom Deployment in ADM that simply spins. To build in Azure do you need to setup and register an AAD user, and an Application, and install Service Agent via ARM template? Just no documentation on this process.
  13. Does anybody have good experience setting up ADM on Azure? Have 2 ADC working in Azure but cannot get ADM service to integrate.